Freeradius + Active Directory
Phil Mayers
p.mayers at imperial.ac.uk
Thu Oct 21 20:02:42 CEST 2010
On 10/21/2010 06:40 PM, Rowley, Mathew wrote:
> I am kind of confused - one of our use cases is having our wireless
> infrastructure authenticating through freeradius and in the end AD. Why
> would it matter that freeradius uses rlm_krb5? Wouldn't it look something
> like:
>
> User----AP----Controller----freeradius----AD
> Anything-auth radius kerberos
> Controller configured
This is an FAQ, and you can find plenty of discussion on the list, or
see here:
http://deployingradius.com/documents/protocols/compatibility.html
Suffice to say that there are many different ways to interact with AD,
and the different protocols (kerberos, ldap, NT domain RPCs) have very
different capabilities.
Only one method can authenticate 802.1x from stock windows clients
against Active Directory using username/password credentials, and that
is the "mschap" module using Samba & domain RPCs via the ntlm_auth
helper binary. This is a fundamental cryptographic property of the
EAP-PEAP/MSCHAP protocols which windows supports.
If you install additional 802.1x supplicant software on your windows
clients, you can use another eap method which does send plaintext
passwords to the server (e.g. EAP-TTLS/PAP) and rlm_krb5 will be able to
process those.